Understanding CFR IT Requirements.

How to bring your network and data into compliance with the Code of Federal Regulations


Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. Part 11 defines the conditions under which electronic records and signatures are deemed to be trustworthy, and lays out requirements for the audit and validation of computer systems which regulated companies must meet. One set of requirements for organizational data deals with “closed systems,” which are defined as “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.” Unstructured data on organizational file servers are considered closed systems that must meet Part 11 requirements, if the data on them is subject to FDA regulation. Part 11 states specifically that “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records.”

Key IT Requirements

Requirement Description Varonis Product/Feature
Part 11 Closed System Requirement (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Varonis collects metadata from file system permissions, user and group repositories, access activity, and sensitive content within files to ensure that security access policies for unstructured and semi-structured data are appropriate and monitored for changes.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. By properly aligning security groups and members with data sets, Varonis can help ensure that records on unstructured file and semi-structured systems are properly protected so that only the correct people can access the records, and all access is monitored.
(d) Limiting system access to authorized individuals. Varonis DatAdvantage can help identify where data is overexposed as well as make intelligent recommendations on where excess access can be removed, helping to ensure a least privilege model where only authorized individuals can access file system data.
(e) Use of secure, computer-generated, timestamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Varonis DatAdvantage provides a complete, accurate, and usable audit trail of every file touch on monitored systems, including every open, create, move, modify, and delete of every file, by every user. DatAdvantage’s audit trail is stored in a normalized database that allows for retention and storage for as long as is required.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. With DataPrivilege, organizations can implement data access workflows that will enable and enforce access authorization and review procedures.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Varonis can provide automated, data driven reports to data owners to help verify that only authorized individuals have access. With DataPrivilege, organizations can implement automated entitlement reviews to ensure that period authority checks are being done.
(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents timesequenced development and modification of systems documentation. Varonis can provide the same data protection to documentation as it can to other electronic data stored on monitored systems.DatAdvantage’s audit trail will record every file touch to documentation stored on monitored servers.

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Request a demo

Or contact sales at 877-292-8767